On 12/01/2012 1:18 a.m., Muhammet Can wrote:
Hi all,

I have been trying to get squid running with kerberos auth for a few
days but I'm in some trouble. The problem has been asked and replied
many times on both the squid-users list and on the web, I have read
them all, and tried to solve the problem. But still no luck.

Here is some of my log files and tests.
(config files are prepared with using wiki;
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos)

-->  tail -f cache.log
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Got 'YR
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' from squid
(length: 59).
2012/01/11 11:54:06| squid_kerb_auth: DEBUG: Decode
'TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' (decoded
length: 40).
2012/01/11 11:54:06| squid_kerb_auth: WARNING: received type 1 NTLM token
2012/01/11 11:54:06| authenticateNegotiateHandleReply: Error
validating user via Negotiate. Error returned 'BH received type 1 NTLM
token'

As no doubt you have seen in those earlier posts type 1 is Negotiate/NTLM. The easiest solution is to use the negotiate_wrapper Marcus developed last year. That should get things working for the users while the details about why NTLM is being used get more of a look at.



-->  tail -f access.log
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE
192.168.0.147 - - [11/Jan/2012:11:54:08 +0200] "GET
http://www.google.com.tr/ HTTP/1.1" 407 1524 TCP_DENIED:NONE

I have tested kerberos on the server side with;

-->  klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administra...@labristest.com

-->  kinit -V -k -t /opt/labris/etc/labris-webcache/HTTP.keytab
HTTP/test2008.labristest.com
Authenticated to Kerberos v5

And, on the client side, I have used kerbtray, it seems client has the tickets.

I have captured the packets with wireshark as suggested some of the
earlier messages, it looks like client still tries to authenticate
with NTLM while we want to use kerberos.

Here is the some of the parts of wireshark log;
(if needed, you can get the full log from here: http://pastebin.com/btp9PzYu )

client to server;
Hypertext Transfer Protocol
     GET http://www.google.com.tr/ HTTP/1.1\r\n
         [Expert Info (Chat/Sequence): GET http://www.google.com.tr/
HTTP/1.1\r\n]
         Request Method: GET
         Request URI: http://www.google.com.tr/
         Request Version: HTTP/1.1
     Host: www.google.com.tr\r\n
     User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
Firefox/8.0\r\n
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
     Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
     Accept-Encoding: gzip, deflate\r\n
     Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
     Proxy-Connection: keep-alive\r\n


server reply;
Hypertext Transfer Protocol
     HTTP/1.0 407 Proxy Authentication Required\r\n
         [Expert Info (Chat/Sequence): HTTP/1.0 407 Proxy
Authentication Required\r\n]
         Request Version: HTTP/1.0
         Status Code: 407
         Response Phrase: Proxy Authentication Required
     Server: squid/3.1.12\r\n
     Mime-Version: 1.0\r\n
     Date: Wed, 11 Jan 2012 11:28:01 GMT\r\n
     Content-Type: text/html\r\n
     Content-Length: 1152\r\n
     X-Squid-Error: ERR_CACHE_ACCESS_DENIED 0\r\n
     Proxy-Authenticate: Negotiate\r\n
     X-Cache: MISS from labris-1\r\n
     X-Cache-Lookup: NONE from labris-1:3128\r\n
     Via: 1.0 labris-1 (squid/3.1.12)\r\n
     Connection: keep-alive\r\n
     \r\n


client tries authentication;
Hypertext Transfer Protocol
     GET http://www.google.com.tr/ HTTP/1.1\r\n
         [Expert Info (Chat/Sequence): GET http://www.google.com.tr/
HTTP/1.1\r\n]
         Request Method: GET
         Request URI: http://www.google.com.tr/
         Request Version: HTTP/1.1
     Host: www.google.com.tr\r\n
     User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101
Firefox/8.0\r\n
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n
     Accept-Language: tr-tr,tr;q=0.8,en-us;q=0.5,en;q=0.3\r\n
     Accept-Encoding: gzip, deflate\r\n
     Accept-Charset: ISO-8859-9,utf-8;q=0.7,*;q=0.7\r\n
     Proxy-Connection: keep-alive\r\n
     Proxy-Authorization: Negotiate
TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==\r\n
         NTLM Secure Service Provider
             NTLMSSP identifier: NTLMSSP
             NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001)
             Flags: 0xe2088297
             Calling workstation domain: NULL
             Calling workstation name: NULL

That might be important. If the browser is not aware for some reason that it has a Windows domain.

             Version 6.1 (Build 7601); NTLM Current Revision 15
                 Major Version: 6
                 Minor Version: 1
                 Build Number: 7601
                 NTLM Current Revision: 15


Please see me as a newbie,
I'd really appreciate a detailed solution to get squid working with
kerberos and what may cause the problem.

So far as this shows Squid is working well up to the point when the client sends it NTLM response credentials. Those are rejected due to not being Kerberos credentials.

Amos

Reply via email to